Port 8 (Echo Request)

  1. #1
    Member
    Join Date
    Aug 2003
    Posts
    37

    Port 8 (Echo Request)

    Hello group:

    I wonder if anyone can help me understand what the Port 8 (echo request) is. We have had hundreds (many) over the past week hitting our firewall. Can this cause problems with CRC errors on our router and the framing errors?

    Thank you for your assistance.


    DarkCarniv0l

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    344
    Port 8--echo request (type 8). There is also something called echo reply (type 0). An echo request message broadcast to all machines in a network address space generates Echo Reply messages, in return, from all hosts responding on the network. Hope this helps a little. I don't think that they can cause any harm, but I dunno, someone else here might know.

    PS- I live in Palo Alto!
    Support your right to arm bears.


    ^^This was the first video game which i played on an old win3.1 box

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    98
    Here is some hardcore techy stuff on that subject for you:

    http://www.networksorcery.com/enp/pr.../icmp/msg8.htm
    I hate this place, nothing works here, I've been here for 7 years, the medication doesn't work...

  4. #4
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    From the definition white eskimo gave, it almost sounds like someone is trying to figure out which hosts are active on your network.

    Can you look in your logs and see if there is anything else from the IP sending the echo requests, like portscans, finger etc.?

  5. #5
    Senior Member
    Join Date
    May 2002
    Posts
    344
    lol pretty hard core definition, I actually didn't think of it all by myself, I used one sentence out of a book. I don't think I need to cite the book, but I will because my history teacher once gave me an F for not citing something.

    Linux Firewalls, written by Robert L. Ziegler, publisher: New Riders, year published: 2000.

    Don't give me any of that MLA format crap, I really don't need to hear it.

    Also, just like cheyenne said, this guy (or maybe and hopefully it's multiple people, or else it would be kinda weird) is trying to figure out what hosts are online and active on your networks. This isn't a threat and you shouldn't be worried about it. If it is just one guy and he is constantly checking, now that's getting to be a little funky. I wouldn't worry about it, you could check your logs for extra safety, but this sounds normal.

  6. #6
    Junior Member
    Join Date
    Jun 2003
    Posts
    14
    I've been fighting a battle @ work with the same problem (except on the inside of our network).

    I've isolated it to the Nachi virus. According to ISS, Nachi uses type 8 requests to make it spread more efficiently than the original MSBlaster worm.

    When we have a host infected with Nachi, I have noticed that the host shows signs of type 8 echo requests, ping flooding, SYN flooding, SMB password failures (where it tries to exploit network shares to propagate), and also attempts on an IIS exploit and a Netscape Server exploit (also used for propagation).

    If you are seeing these signs combined with type 8 echo requests, I would dig deeper to see if you can find Nachi. (Nachi can be prevented by using the MS patch from Microsoft to fix the RPC DCOM vulnerability.)

    Here is my attempt @ a plain English explanation of a Type 8 echo request...

    Depending on your familiarity with network addressing, here is a simple answer of what happens.

    You have a network address....in this example 192.168.1.1/24 (or class C, or with a subnet mask of 255.255.255.0)

    The network address is 192.168.1.0
    The Broadcast address is 192.168.1.255

    If I send a type 8 echo request to the network or broadcast address, everything on that network will respond.

    To expand on this a bit more to show the possible impact...

    A Class C address space has 255 addresses available. That means 254 available addresses to be used by hosts (255 - the network address of 192.168.1.0 that can't be used by a host and - 192.168.1.255 that can't be used because it is the network address)

    If you have a full Class C network with 254 hosts and I send a type 8 echo request to 192.168.1.0 or 192.168.1.255, it will generate a response from all 254 hosts.

    This tactic is also called a Smurf attack and it is a tactic commonly employed in Denial of Service attacks.

    Hope this info is helpful =)

    Tfunk

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Darkcarniv0l,

    Here is another link. Just as others have stated, it is message type 8 (not port 8, don't confuse the two): http://www.tech-free.com/link%20file...sg%20types.htm

    Cheers

  8. #8
    Senior Member
    Join Date
    May 2003
    Posts
    604
    Most likely what you are seeing (if the ICMP dest IPs are in sequential order) is a ping sweep being performed by the Welchia virus. It uses the ICMP ping to find other machines to infect and can bring a network down with a flood of ICMP packets.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
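
Added example (not part of any post in this thread): a log check for the two patterns raised in posts #4, #6 and #8, namely ICMP type 8 requests aimed at the network or broadcast address and requests from one source walking sequential destination IPs. The log format, the sample lines, the 192.168.1.0/24 network (taken from post #6) and the run threshold of 4 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical format, not from the thread).
SAMPLE_LOG = """\
2003-09-02T10:00:01 DENY proto=icmp type=8 src=203.0.113.7 dst=192.168.1.10
2003-09-02T10:00:01 DENY proto=icmp type=8 src=203.0.113.7 dst=192.168.1.11
2003-09-02T10:00:02 DENY proto=icmp type=8 src=203.0.113.7 dst=192.168.1.12
2003-09-02T10:00:02 DENY proto=icmp type=8 src=203.0.113.7 dst=192.168.1.13
2003-09-02T10:00:05 DENY proto=icmp type=8 src=198.51.100.9 dst=192.168.1.255
2003-09-02T10:00:09 DENY proto=icmp type=8 src=198.51.100.23 dst=192.168.1.20
2003-09-02T10:00:11 DENY proto=icmp type=0 src=198.51.100.23 dst=192.168.1.20
2003-09-02T10:00:12 DENY proto=udp dport=7 src=198.51.100.40 dst=192.168.1.30
"""

LINE_RE = re.compile(r"proto=icmp type=(\d+) src=(\S+) dst=(\S+)")

def analyze(log_text, network="192.168.1.0/24", min_run=4):
    """Return (sweep_sources, broadcast_sources) for ICMP type 8 entries."""
    net = ipaddress.ip_network(network)
    targets = defaultdict(set)      # source -> set of destination IPs (as ints)
    broadcast_sources = set()       # sources that hit the network/broadcast address
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group(1) != "8":
            continue  # only echo requests; skips echo replies and UDP port 7
        src, dst = m.group(2), ipaddress.ip_address(m.group(3))
        if dst in (net.network_address, net.broadcast_address):
            broadcast_sources.add(src)
        else:
            targets[src].add(int(dst))
    sweep_sources = {}              # source -> longest run of consecutive targets
    for src, addrs in targets.items():
        ordered = sorted(addrs)
        best = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            sweep_sources[src] = best
    return sweep_sources, broadcast_sources

if __name__ == "__main__":
    sweeps, broadcasts = analyze(SAMPLE_LOG)
    print("sequential sweeps:", sweeps)
    print("broadcast/network targets:", broadcasts)
```
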

  9. #9
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Ok we have a slight amount of confusion here.

    ICMP packet *type* 8 = echo_request

    This is NOT a PORT number. ICMP does not have ports.

    TCP / UDP port 7 = echo service

    This is different from ICMP echo

    The "echo" service is a trivial TCP / UDP service which can be set up under most OSs. It is not normally enabled however, in particular because there is a nasty DoS which can be done by finding two UDP based echo services, and spoofing packets to one from the other - it causes an infinite loop (dunno if modern echo service implementations have protection against this).

    Under Unix it gets implemented by inetd (if enabled) - under M$ it's something called "trivial tcp services" or something (IIRC) - but hopefully nothing really enables it any more.

    Slarty
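
Added example (not part of any post in this thread): a small IPv4 classifier showing the distinction drawn in post #9, that an ICMP header carries a type and code where TCP and UDP carry source and destination ports. The packets are constructed in the code with made-up addresses and zero checksums; the function names are hypothetical.

```python
import struct

ICMP_TYPES = {0: "echo reply", 8: "echo request"}
L4_PROTOCOLS = {6: "TCP", 17: "UDP"}

def ipv4(proto, payload):
    """Wrap payload in a minimal 20-byte IPv4 header (constructed addresses, checksum 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes([203, 0, 113, 7]), bytes([192, 168, 1, 10]))
    return header + payload

def classify(packet):
    """Return (protocol, detail) for an IPv4 packet."""
    header_len = (packet[0] & 0x0F) * 4   # IHL counts 32-bit words
    proto = packet[9]                      # IPv4 protocol field
    body = packet[header_len:]
    if proto == 1:                         # ICMP: type and code, no port fields
        icmp_type, code = body[0], body[1]
        name = ICMP_TYPES.get(icmp_type, "other")
        return ("ICMP", f"type {icmp_type} code {code} ({name})")
    if proto in L4_PROTOCOLS:              # TCP and UDP both start with src/dst port
        sport, dport = struct.unpack("!HH", body[:4])
        service = " (echo service)" if dport == 7 else ""
        return (L4_PROTOCOLS[proto], f"dst port {dport}{service}")
    return (f"protocol {proto}", "not decoded")

# Constructed packets: an ICMP echo request and a UDP datagram to port 7.
ICMP_ECHO_REQUEST = ipv4(1, struct.pack("!BBHHH", 8, 0, 0, 1, 1))
UDP_TO_ECHO = ipv4(17, struct.pack("!HHHH", 40000, 7, 8, 0))

if __name__ == "__main__":
    for pkt in (ICMP_ECHO_REQUEST, UDP_TO_ECHO):
        print(classify(pkt))
```
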

  10. #10
    Member
    Join Date
    Aug 2003
    Posts
    37

    Port 8 (echo request)

    Thank you all for the wealth of information. It is very helpful and much appreciated.

    DarkCarniv0l
